Just Published! Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

Carbon Black Cloud: What Happens When Bypass has been Enabled on the device?

Carbon Black Cloud: What Happens When Bypass has been Enabled on the device?

Environment

  • Carbon Black Cloud Console: All Versions
  • Carbon Black Cloud Sensor: All Versions
  • Microsoft Windows: All Versions
  • Apple MacOS: All Versions

Question

What affect does enabling Sensor Bypass (Endpoints > Select Sensor > Take Action > Enable Bypass) have on Sensor activity?

Answer

Protection and Monitor Status

  • Policy Rules are not enforced so the Sensor is not actively protecting the device
  • The Sensor will not send any new data to the Carbon Black Cloud console while it is in Bypass

Remote Investigation

  • All device activity prior to Bypass being enabled will still be available on the Investigate Page in the Console
  • Administrators can continue investigating a device from the PSC Console (Investigate Page, Live Response, Live Query, etc..) 
  • VMware Carbon Black Support will still be able to to pull sensor logs from the device while in quarantined mode
Local Sensor Activity
  • The Sensor still locally logs system information, such as CPU and memory use
  • The Sensor maintains the local databases by removing stale records and removing files that have been deleted 
  • The Sensor still checks in to confirm configuration, policy rules, and requested sensor actions
  • Signature updates for local scanner still occur 
  • Repmgr is still running, it checks the reputations of any interesting files accessed.
  • This activity is recorded and stored locally though not uploaded to the Console

Related Content


Was this article helpful? Yes No
50% helpful (1/2)
Article Information
Author:
Creation Date:
‎09-02-2020
Views:
6675
Contributors